Cyber Ninjas believes strongly in actively giving back. This not only means that annually we donate a significant portion of company profits to support charitable causes, but also that we actively volunteer to make those organizations a success. This has included providing teaching assistants and instructors for the US Cyber Challenge to train the next generation of cyber security professionals, as well as annually packing and helping hand deliver over 20,000 Christmas presents to children in Haiti with Hand To the Plow. As we entered the new year, we wanted to give a brief overview of some of the causes that we regularly support, and talk about why we support them.

Hand to the Plow

Hand to the Plow was founded in 1983 after a group of individuals took a work trip to Haiti and had their lives forever changed. Since that first trip in 1983, they have traveled to Haiti regularly, bringing clothes, food, gifts, and encouragement, and helping to both fund and build projects such as wells, water cisterns, schools and churches. All the work in Haiti is done in partnership with Phyllis Newby, who is a long-term fellow servant and friend. Phyllis helps run a center in Haiti which includes an orphanage and medical center, and serves as an outpost to help support over 230 different schools and a similar number of churches, representing over 40,000 people. Every single year a small group of 20-30 Hand to the Plow volunteers purchase, package up, and deliver to Haiti over 20,000 Christmas gifts. These are delivered in schools across the country, complete with a telling of the Christmas story. They give to Haiti because Christ first gave to us.

Cyber Ninjas supports Hand to the Plow because we believe in their mission, and their work embodies many of the core principles that this company was founded on. We believe that all people were created equal, that true leadership is service to others, and that the best work is in building people. Hand to the Plow conducts all their work with their co-laborers in Haiti as equals, serving where requested and needed, while also helping educate and build people who can then serve others. This is done from a Christian worldview, which is at the center of both Hand to the Plow and Cyber Ninjas’ leadership. The demonstration of this worldview, however, is something that all faiths can appreciate, and that Christians and non-Christians alike in Haiti benefit from.

The US Cyber Challenge

The US Cyber Challenge was founded in 2009 with the mission of finding America’s best and brightest and connecting them to a career in Cyber Security, in order to help answer the workforce shortage in the industry. Annually a national competition is run where the high scorers are invited to a week-long cyber security boot camp that culminates in a four-hour Capture-The-Flag (CTF) competition. Winners from prior years are encouraged to come back as teaching assistants, and eventually as instructors.

Cyber Ninjas supports US Cyber Challenge because we believe in the mission of the organization, and we know personally that what they’re doing is effective. As we attempt to attract and recruit talent we are constantly confronted with the shortage of qualified people in the field. The US Cyber Challenge helps solve this problem, while again also encouraging service and giving back. On a personal level, our CEO, Doug Logan, started in the US Cyber Challenge as a participant in its first year in 2010, and through his involvement over the years he’s seen it propel his own and others’ careers.

Through our work with the US Cyber Challenge, we’re constantly asked about resources that might help someone build the knowledge needed for a Cyber Security career. To that end, we’ve assembled the following set of resources that others may find useful. This is the list we most commonly give out when recruiting at career fairs and anywhere else where someone is specifically interested in Application Security.

If you’re excited about Cyber Security, and find yourself working through a good part of this; please also take a look at our careers page. We’re constantly looking for good talent, and we believe strongly in hiring entry-level people and helping train them in the field.

Items in bold and italics are those resources we heavily recommend, and should be what you start with.

Other

SARASOTA, Fla. (Dec. 10, 2015) Doug Logan, CEO and Principal Consultant for Sarasota-based Cyber Ninjas, has been named a winner of the prestigious SANS 2015 Difference Makers Award, to be presented during the organization’s Cyber Defense Initiative Dec. 15 in Washington, D.C.

“I am grateful and humbled by this award,” Logan said. “It reflects the level of innovation at Cyber Ninjas, plus our commitment to training the next generation of cyber security experts on a national level.”

The SANS 2015 Difference Makers Award recognizes and celebrates those individuals whose innovation, skill and effort have driven real advances in information security. “While there is no shortage of publicity around failures in security, there are thousands of security practitioners out there who are quietly succeeding and making breakthroughs in advancing security,” the organization said, announcing the award.

Logan was honored for his continued work with the non-profit U.S. Cyber Challenge, whose mission is to identify, attract, recruit and place the next generation of cyber security professionals to fill the gap within the cyber security workforce. “The USCC is doing great things,” Logan said. “We’re grateful to be able to be a part of it at Cyber Ninjas.”

This past year, Logan put more than 300 hours into working with a few other individuals in the USCC to create a competitive game that teaches and tests cyber security related concepts. It’s referred to as a CTF, or “Capture The Flag,” because competitors must solve challenges to uncover the answers to questions (the flags), boosting a team’s score. Many of the flags they must first capture involve taking advantage of a security vulnerability in order to compromise a system, and all of the challenges were designed to teach security concepts.

“Every year there are a number of CTF events put on at security conferences across the country,” Logan said. “What was different about our CTF is that it was designed to teach real world security concepts and techniques. CTFs in general have historically been aimed at testing capabilities rather than teaching, and many of them are simply a collection of eclectic puzzles with little real-world application. We chose to break this mold with our CTF.”

Logan said he operates Cyber Ninjas under some specific goals.

“I want to bring new people into the security field to start solving the real problems,” he said. “And I want to educate those I work with to build knowledge and capabilities within the organizations.”

He said that too many security companies do not train but create a system so their clients can’t do anything on their own, and hence they “need” the consultant. “My attitude is if we solve complex challenges and teach others to do the same, there will always be more complex challenges to solve,” he said. He believes that helping out with the USCC is a great, tangible way, to accomplish these goals, while giving back to the community to create a more secure tomorrow.

“At Cyber Ninjas, it is our business to make the world more secure,” Logan said. “As a Christian company, we also believe we have a responsibility to serve, as Christ served. Helping the USCC is a great way to be a blessing to others, while helping combat evil hackers.”

Logan, who moved Cyber Ninjas to Sarasota from Indiana in early 2014, has more than 15 years of experience across a wide area of IT, and a passion for teaching. He both understands the intricacies of the technology, people, and processes and how to communicate the challenges and solutions in a way that management can understand and use.

SARASOTA, Fla. (Sept. 23, 2015) We’ve all read the stories of major corporate data breaches such as the Office of Personnel Management, Anthem Insurance, Target, Blue Cross Blue Shield, Harvard University, Army National Guard and more. But less well-known is that 60 percent of small businesses go out of business within one year of a cyber breach, and even large businesses can be crippled.

“With data breaches, ransomware and cyber espionage on the rise, the success of a company now is directly linked to its cyber strategy,” Logan said. “Failure to account for the growing risks can mean major financial losses and company failure.”

Among Cyber Ninjas’ guarded list of clients is the federal government in Washington, D.C. Founder Doug Logan is an acknowledged expert in operating on the leading edge of cyber strategy and is known nationally for his teaching on the subject.

During the luncheon presentation, Logan will review the current cyber security threat landscape, modern cyber adversaries, why they may be interested in your organization, common ways and terminology associated with how they might get in, and what you can do in your organization to mitigate these risks, regardless of your size.

“Every company needs to have a strong presence on the Internet and most conduct business over it,” Logan said. “This opens a portal to criminals and hackers. Everyone is a target.”

Doug Logan has more than 15 years of experience across a wide area of IT, and a passion for teaching. He both understands the intricacies of the technology, people, and processes and how to communicate the challenges and solutions in a way that management can understand and implement.

I’ve often had people ask me, “How can hackers be stopped?”, and immediately expect that there is a quick, succinct list of items that is going to make an organization completely hack proof. This is simply not the case. Preventing an application or infrastructure from being hacked is like preventing a car crash. The car and the road can be checked for defects. The vehicle can be validated to have the correct configuration for the environment, and the drivers can be trained in defensive driving techniques. Even with these precautions, defects can be missed, the environment can change, and drivers can make mistakes. Any of these could result in a car crash. Accepting this risk is one of the requirements of being on the road. Likewise, it’s impossible to completely remove the risk of being hacked if your organization is on the information superhighway, but there are a lot of things you can do to reduce the likelihood and impact.

Testing for Defects

Within the information security field testing for defects is usually referred to as a “Vulnerability Assessment”, “Ethical Hacking”, “Penetration Testing (aka Pen Testing)”, or “Red Teaming”. What is involved in each of these terms is different, but all seek to discover defects that could potentially allow attackers to do bad things. We more commonly refer to these as “security vulnerabilities”.

What should be tested for defects?

Within the car example, defects in the vehicle, tire configuration, road, stop-lights, or signs could all result in a car crash. Likewise, in the information security arena almost any defect in anything running on your network (routers, servers, databases, applications, facilities, wires, processes, and people) could result in your organization being hacked. What should be tested is generally broken into four categories: Network, Application, Social and Physical.

Network assessments focus on the “roads”, “stop-lights” and “signs” that make up the environment. This includes firewall configurations, server ports, and known problems with common applications that make up the infrastructure (Router Software, Web Server, Application Server, etc.).

Application assessments focus on the “cars” that use the roads. This includes each one of the individual applications that is used by the business (Web Sites, mobile applications, desktop application, etc.).

Social assessments focus on the “drivers” that use the applications. This includes anyone that uses any of the applications anywhere within the organization, and involves trying to get them to do things that they should not.

Physical assessments also focus on the “roads”, and “cars”, but from a physical standpoint. This includes seeing if a person can physically get to sensitive locations within your office building to gain access to network, servers, or other sensitive data.

Testing all four areas gives a reasonable assurance that it would be difficult to get hacked. Focusing on only one of these areas could be a formula for disaster. Consider the situation where there is a newly paved road, with an old clunker driving down it with bald tires, leaking gasoline, with a bumper dragging and causing sparks. What is the probability that the vehicle will be in an accident if it’s used frequently? The information security equivalent of this happens all the time. An organization will get a network assessment of their infrastructure, and thereby assume the applications on their network are also secure. This is rarely true, and this thinking has contributed to at least a handful of the large data breaches.

Who should test for defects?

Within the car industry the expectation is that the manufacturer is going to test any new vehicle for safety issues and create a secure product. This is regulated by the government, and there is clear legal precedent holding the manufacturer accountable when it has not been done. This allows consumers to feel confident that they need not know much about vehicles to validate that a vehicle is reasonably safe when purchased new. Within the Information Security field this is a completely different story.

There aren’t currently any regulations which require manufacturers of software to create software which is up to a clearly defined security standard. In addition, the legal precedent is still being established to determine how much, if at all, software manufacturers can be held accountable for security defects. As a result, while the software manufacturer *SHOULD* test for security vulnerabilities, there isn’t typically a huge incentive for it to be done. Add in the fact that there is a wide range of levels of experience among individuals creating software, and that even among Computer Science college graduates only a small percentage have taken even a single class which contained a single section on secure programming, and it seems that almost anyone who uses an application should at least kick the tires.

How thoroughly should defects be tested?

The level of testing a defect warrants is directly tied to the impact that flaw would cause. For example, if a car was only going to be driven for 1 mile, at 15 mph, once a month, on a completely straight road which has almost no traffic, a defect with the car that could pop the tire would not be as big of a deal. Likewise, if an application is only used by a handful of users, and a full compromise of the machine would not reveal any sensitive data or prevent business from being done, then it may make sense to do little or no testing. If, on the other hand, the application allowed the transfer of millions of dollars’ worth of money, or controlled the life-support of an individual, it would probably be advisable to have at least one pretty extensive ethical hacking engagement performed on the software. This would probably make sense even if the manufacturer of that software stated they had their own assessment done.

Conclusion

The risk of being hacked can never be completely eliminated, but it can be greatly reduced. The important thing is that you take a look at the risks to your organization present in the four different areas of information security, and be sure that your organization is doing something in all four areas appropriate for the level of risk. This may mean requiring your vendors to go through 3rd party security audits, having your own mini-assessments conducted, or having an extensive assessment conducted. If you need help determining what your risks are, what to ask your vendors to do, or to have actual work performed, please feel free to reach out to us. We offer a free 1-hr initial consultation for new customers, and can refer you to other organizations if what you require is not in our area of expertise. The information superhighway would be a much safer place if more organizations did some tire kicking.

In honor of our move to Sarasota, FL, Cyber Ninjas is offering Sarasota area businesses a 25% discount on all services that are booked prior to our move date of May 1st, 2014.

In order to qualify:

The business must be located within Sarasota or Manatee Counties in Florida.

There must be a Statement-of-Work actively being worked on by the May 1st, 2014 deadline.

The Statement-of-Work must be signed by both parties by May 16th.

The project must start before November 1st, 2014.

Please note that this discount cannot be applied to any tools, software, or other direct expenses which may be incurred during the course of the engagement and are reimbursable under the terms of the contract.

SARASOTA – Cyber-security consulting and software firm Cyber Ninjas is moving from Bloomington, Indiana to Sarasota in May with plans to add 8-10 employees after two years.

“Sarasota is a great place to live, which will help us attract and retain top employees,” said Doug Logan, CEO and Principal Consultant for Cyber Ninjas. “Its proximity to both the Sarasota and Tampa airports will also allow our consultants to spend less time traveling, and more time in paradise.”

Cyber Ninjas helps companies build cyber security throughout their organizations with education, tools, policy and process development. In addition, Cyber Ninjas offers ethical hacking where they simulate what an attacker would do to an application in order to discover security issues before they become a problem. Most of the company’s work involves building capabilities within an organization to allow them to create secure software.

“Nothing teaches security better than a real, live, example of a security vulnerability within an application that the individual is intimately knowledgeable about,” Logan says.

Cyber Ninjas offers live classes and one-on-one cyber mentoring to teach the skills necessary to test digital, online security and will be rolling out several computer-based classes for a more self-paced study.

Doug Logan has extensive experience in the full range of cyber security issues. He opened the Bloomington office of Cigital, the world’s largest software security firm, and in one year grew it from 3 people to more than 20, and from 10 assessments a month to more than 250.

Logan also is deeply involved with the U.S. Cyber Challenge (USCC), a program of the Council on CyberSecurity, designed to locate and train cyber security talent to significantly reduce the shortage in our country’s cyber security workforce. Originally identified by the program after he was a high scorer on a USCC-sponsored competition, Logan has continued his commitment to the workforce development cause by volunteering as an instructor for the USCC Cyber Camps for the last two years.

The Economic Development Corporation of Sarasota County has been assisting Cyber Ninjas with their decision to relocate.

“Certainly we are all very aware of how important it is to make our use of technology safer and more secure,” said Mark Huey, CEO and President of the EDC. “Cyber Ninjas will be a valuable addition to the growing hi-tech industry in the County.”